Insights

Does Your Business Insurance Cover a Pandemic?

For most companies, the answer is no. Check your coverage and guard against cyberattacks as more employees work from home.

By Megan Ryan | March 24, 2020

Closed for business sign on window

As Americans wish for a better defense against COVID-19, American business leaders are also looking for ways to mitigate threats posed by the global pandemic. How do you keep employees and customers safe while juggling remote work situations and potential lost revenue due to closures?

“Business continuity and contingency plans are critical to keeping businesses and organizations functioning in time of crisis,” said John Milek, risk management insurance consultant at BOK Financial Insurance.

Companies likely have business income coverage, but each policy is different, and “most are not going to cover lost income due to a pandemic,” he said.

Instead, they tend to cover clean-up costs related to an "event" causing physical damage and do not include infectious disease as a condition that disrupts business function, and therefore, revenue.

In addition, contingent business interruption insurance, which handles claims for disruptions from a policyholder’s suppliers, will likely not cover COVID-19 or other virus-related losses either.

What if an employee contracts the virus at work?

There are also questions around workers’ compensation claims related to COVID-19. Typically, a worker must be able to establish a connection between the duties of their employment and the infection, and they need to be on the clock and on the premises at the time of exposure or contamination.

Chris Boggs at the Independent Insurance Agents & Brokers of America put it this way: “The simplest test toward determining whether an injury arises out of and in the course and scope of employment is to ask: Was the employee benefiting the employer when exposed to the illness or disease?

But be warned, he advised. That test is subject to the interpretations and intricacies of various state laws.

In addition, some states are implementing paid sick leave for COVID-19 testing, especially in certain high-touch industries like hospitality, child care and home healthcare among others. Check your local regulations for details, as this is changing daily.

How the government is responding

Congress recently passed the Families First Coronavirus Response Act in an effort to ease the pressure during this pandemic and is working on additional relief measures. Here is what’s included:

  • Government employees and employees of employers with fewer than 500 employees who have been on the job for at least 30 days will have the right to take job-protected leave. This is intended to be more inclusive than existing protections under the Family Medical Leave Act (FMLA). Leave can be used for quarantine, to care for an at-risk family member or to care for a child if schools or child care facilities have been closed.
  • Small businesses with fewer than 50 employees will not be required to pay sick or family leave at the discretion of the labor department.
  • States will get access to emergency grants for activities related to processing and paying unemployment insurance benefits. While unemployment differs from state to state, many states are updating statutes to include “job attached” status for an employee who is expected to return to their most recent employer after a brief separation. Check local regulations for details.
  • The bill requires private and public health plans to provide coverage for COVID-19 testing.
  • Businesses will receive some support through tax credits to cover 100 percent of paid sick or family leave wages paid by an employer. The tax credit is allowed against the employer portion of Social Security taxes; caps and limits apply.

Cybersecurity threats

Cybercriminals are seeking to exploit public fears and concerns associated with the coronavirus. Attackers are using phone calls, text messages, and emails to conduct their scams. They may impersonate various charities, banks, law firms, health organizations, such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC), or even your own company. They are using fear-based language such as “updated list of new cases” or “safety measures” to get unsuspecting victims to react quickly.

Other scams include bogus online purchases, such as vaccines or supplies, investment opportunities, charitable donations or social engineering attacks like an email that appears to be an internal message from a company leader communicating about safety procedures.

“The best defense against these types of scams is awareness,” said Paul Tucker, chief information security officer at BOK Financial. “In addition to health and safety instructions, companies should be communicating with employees about the dangers of cyberattacks and the increased likelihood for phishing scams.”

In addition to being aware of cyberattacks, Tucker indicated that as many companies transition their employees to work from home, the exposure of risk increases. Since implementing a remote work capability is new to some organizations, adequate security measures should be considered, such as connecting to the company network through a virtual private network (VPN) and specific guidance for handling company data.

“Cybercriminals are taking advantage of potential weak points in company risk management protocols during uncertain times,” Kathleen Finley, risk management insurance consultant at BOK Financial Insurance said. “This may not be the first thing employees or company leaders are thinking of right now, but everyone needs to be extra diligent in following company information security protocols.”

Resources are available on cybercrime related to COVID-19:

If a cyberattack were to happen, company cyber insurance may kick in, however, each policy’s coverage is different. As more employees are working remotely, consider the risks of taking work home and be aware of best practices. Are employees accessing systems through a secured network? Have employees taken files home that contain Personally Identifiable Information (PII) or Personal Health Information (PHI) that could be breached? Are you instructing employees to log off and shut down laptops when not in use?

“Human error is often the weakest link in your cybersecurity planning,” Finley said. “For example, accessing and responding to emails and texts on a cell phone is convenient, but it puts you at higher risk of falling victim to social engineering and malicious activity.”

A company’s cyber insurance is designed to mitigate losses from cyber incidents, including data breaches, business interruption and network damage. But these insurance policies are not all the same; make sure you understand what’s covered — and what isn’t — as remote access to company systems increases.

Milek reminds clients that their insurance advisors are there to help them make sense of the specifics of coverage and policy details.

BOK Financial Insurance recommends a variety of best practices for companies to consider now and as they are planning for future situations.

This article will be updated as more information is available.

Insurance products and services are offered by BOK Financial Insurance, a subsidiary of BOK Financial Corporation. Actual employee benefits coverage and services vary depending on group size and number of participants enrolled. Additional fees and exclusions may apply for benefit administration and enrollment technology. The information contained in this article is not intended to be exhaustive nor should any discussion or opinions be construed as professional advice. Please contact BOK Financial Insurance if you have any questions.